Counter-Example Guided Abstraction Refinement Based Test Case Generation From Simulink/Stateflow Models

ABSTRACT

A method for verifying reachability of a transition path between states with respect to Simulink/Stateflow models; (a) a concrete simulation model is generated and an abstract model is generated; (c) an abstract path is generated that is a sequence of transition steps from a start state to a target state; (d) a validity of the abstract path is checked utilizing the concrete simulation model; (e) a result is output to a user that identifies the abstract path as a reachable result; (f) partitioning a respective state of the transition step that was invalid in the abstract path; (g) recomputing a next abstract model based on partitioned start state; (h) generating an next abstract path; (i) determining whether the next abstract path is valid; (j) outputting a result to the user that identifies whether the recomputed abstract path is a valid result; otherwise proceeding to step (f).

BACKGROUND OF INVENTION

An embodiment relates generally to verification of input and output response signals in vehicle systems.

In automobiles, numerous functional systems are handled by electronic and control software applications. Such systems utilize distributed real-time embedded software systems that require high integrity development and verification processes.

Vehicle software systems are typically created as an initial abstract model of a controller which is then validated using physical testing or formal verification and are refined iteratively. Test sequences created to test each of the software applications by their input and output responses are applied to a device, subsystem, or system utilizing an actual vehicle or test bed. Physical testing requires setup of the test bed or physical components in an actual vehicle using actual hardware required for testing or validation. Simulation provides an alternative to actual hardware and test setup, however, verification of vehicle system test models for implementation in vehicle systems is subject to the issue of state-space scalability. That is, in testing a model using simulation, scalability of testing (i.e., expansion of testing data to cover all need test cases) may increase exponentially thereby creating a very time consuming and costly process.

SUMMARY OF INVENTION

An embodiment contemplates a method for verifying reachability of a transition path between states with respect to Simulink/Stateflow® models. (a) generating a concrete simulation model as a transition system; (b) generating an abstract model; (c) generating an abstract path that is a sequence of transition steps from a start state to a target state; (d) checking a validity of the abstract path utilizing the concrete simulation model; (e) outputting a result to a user that identifies the abstract path as a reachable result; otherwise (f) partitioning a respective state of the transition step that was invalid in the abstract path; (g) recomputing a next abstract model based on partitioned start state in step (f); (h) generating an next abstract path; (i) determining whether the next abstract path is valid in the concrete model; (j) outputting a result to the user that identifies whether the recomputed abstract path is a valid result for testing the concrete model in a vehicle system; otherwise proceeding to step (f).

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an exemplary state diagram illustrating a transition in predicate form.

FIG. 2 is an exemplary state diagram of a transition system.

FIG. 3 a is an exemplary state diagram of an initial abstraction.

FIG. 3 b is an exemplary refined state diagram of the initial abstraction.

FIG. 4 a is an initial abstraction path for a model fsa(α⁰) as Ã₀.

FIG. 4 b is a refinement of the initial abstract path in FIG. 4 a.

FIG. 5 a is a two-state abstraction of the transition system in FIG. 2.

FIG. 5 b is an abstract model obtained by refinement of FIG. 5 a.

FIG. 5 c is a second refinement of the abstract model of FIG. 5 a.

FIG. 6 illustrates a reachability approach.

DETAILED DESCRIPTION

The invention includes a method of verification of a reachability of transition system models. The embodiments described herein utilize a counter-example guided abstraction refinement (CEGAR) based method for checking reachability properties of Simulink® models which is a commercially available modeling tool for simulating and analyzing multidomain dynamic systems. Simulink® models are considered having underlying transition system semantics. The technique described herein is based on finite state abstractions built from partitions of state space of the transition system and the refinements of such abstractions by splitting of partitions based on an infeasible transition. The system for executing the technique as described herein utilizes at least one processor, a memory, and an output display device for outputting results to a user, a human machine interface for allowing a user to input control commands, and test device such as a test harness for checking the validity of modeled results on a hardware device. The processor may perform the following functions that include, but are not limited to, path generation, translation between a SL/SF model and a concrete model, validity checking, and model refinement.

The embodiments describe herein utilize concrete and abstract models. A transition system, represented as M, is a set of elements that include (1) a set of variables V, (2) an initial condition I, and (3) a transition relation (T).

The set of variables V include a set of input variables V_(?) and a set of output variables V_(!); both these subsets have no element in common. Each variable υεV takes values from a domain D_(υ). For a set of variables Z⊂V, the set of valuations of the variables in Z will be denoted by D(Z)

x_(υεz)D_(υ). The state space of M is thus Γ

D(V).

The initial condition I is a predicate on the output variables in V. That is, I is a map:I:D(V_(!))→BOOLEAN. A valuation of variables in V_(!) is assigned the value of true provided the valuation satisfies the predicate denoting the initial state. I can also be denoted as the set of states (⊂Γ) satisfying the initial condition. Both these usages are mutually compatible.

The transition relation T is a predicate on V and V′ where V′={v′|vεV}. That is T is a map:T:D(V)xD(V)→BOOLEAN. Intuitively, for a variable υ, υ and υ′ denote the pre-transition and post-transition values of that variable. Analogous to the case with I, a set interpretation can be T⊂Γ×Γ. Valuations of the variable V are referred to as “states” in the transition system (i.e., sεΓ). This includes input variables as well as output variables. This transition relation is expressed as a disjunctive combination of guard-action pairs {(g_(i),a_(i))}. In general, a guard g_(i), can be a predicate on V and V′ (i.e., g_(i) ⊂Γ×Γ). An action a_(i) is a set of equation of the form v′=e(V,V′)², where vεV_(!) and each variable in V_(!) occurs exactly once on LHS, and e(V,V′) is an expression on V and V′ that evaluates to a value in domain D_(v). Such an action a_(i) can be translated to an equivalent predicate u_(i) on V and V′, i.e., u_(i) ⊂Γ×Γ. Refer to FIG. 1 which shows a transition in predicate form. The transition in predicate is represented by (g,u)=(v₁=v₂′

v₂=5

v₃=1, v₁′=5

v₂′=v₁′+2) where V_(!)={v₁, v₂} and V_(?)={v₃}.

Valuations of the variables V are called the states of the transition system, sεΓ. Note that this includes input as well as output/internal variables. The notation s|z will refer to the projection of the state onto the set Z⊂V (i.e., it denotes the notation of the variables in Z).

A labeled trace of a transition system is a sequence s₁, l₁, s₂, l₂ . . . such that s₁εI. and ∀_(j)≧1:T_(j)(s_(j), s_(j+1)). A trace is a sequence s₁, s₂, . . . such that ∃l₁, l₂; and s₁, l₁, s₂, l₂ . . . as a labeled trace. A labeled trace if finite length will be called a finite (labeled) trace.

M is considered deterministic if:

∀s ₁ ,s ₂ ,s ₃ εΓ:T(s ₁ ,s ₂)

s ₂ |v _(!) =s ₃ |v _(!)

M's transitions T_(l) are said to be disjoint if:

∀l ₁εrange(λ),s ₁ ,s ₂ εΓ:T(s ₁ ,s ₂)

Al ₂εrange(λ),s ₃ εΓ:l ₁ ≠l ₂

T _(l2)(s ₁ ,s ₃)

s ₂ |v _(!) =s ₃ |v _(!)

In general, determinism and disjointness do not imply one-another. But if M is deterministic but its transitions are not disjoint, then the following holds:

∀l ₁ ,l ₂εrange(λ),s ₁ ,s ₂ ,s ₃ εΓ:T _(l1)(s ₁ ,s ₂)

T _(l2)(s ₁ ,s ₂)

s ₂ |v _(!) =s ₃ |v _(!)

This simplifies the process to generate a deterministic M's transitions disjoint by partitioning S based on such pairs of states that are connected by multiple T_(ls), and extending this partitioning to the T_(ls) that overlap. If M is non-deterministic, a trace of it can correspond to multiple labeled traces.

The model is referred to as an automata which studies abstract machines and computational problems using abstract machines. The automata utilizes states and transitions. The automata described herein utilizes five units (Σ, S, I, δ, F), where τ is an alphabet, S is a set of states, I⊂S is the set of initial states, F⊂S is the set of final states, and δ⊂S×Σ×S is the transition relation. The automata is finite if S is finite. Derivations of the automata are defined as paths from a state in I to a state in F.

For an automata A₁=(Σ, S₁, I₁, δ₁, F₁) and A₁=(Σ, S₂, I₂, δ₂, F₂), a relation H⊂S₁×S₂ is called a simulation relation if for all (s₁, s₂)⊂H. For every transition from s₁, there is a corresponding transition from s₂, that is the following holds that for all l and s₁′ s.t., (s₁, l, s₁′)εδ₁, there exists s₂′ s.t., (s₂, l, s₂′)εδ₂ and (s₁′, s₂′)εH.

A definition (definition 3) is set such that an automation A₂ is said to be an abstraction of automation A₁, written A₂>A₁, when there exists a simulation relation H such that:

-   -   for all s₁εI₁ there exists an s₂εI₂ s.t., H(s₁, s₂), and     -   for all s₁, s₂ if s₁εF₁ and (s₁ s₂)εH then (s₂εF₂),         A theorem (theorem 1) can be derived as follows: if A₂>A₁ and s₁         ¹, l₁, s₂ ¹, l₂, . . . , s_(m) ² (s₁ ¹εI₁ and s_(m) ¹εF₁) is a         derivation A₁, then there exists a corresponding derivation s₁         ², l₁, s₂ ², l₂, . . . , s_(m) ², in A₂). Therefore, when A₂>A₁,         A₂ is often called an existential abstraction of A₁, since any         derivation of A₁ is also guaranteed to exist in A₂.

Given the automata, the transition system M, and the set of states F⊂S, a determination is made whether F is reachable in M. If F is reachable, a witness trace is returned. F will be given as a predicate on V, but F can also be denoted as a subset of S. Therefore, F is denoted as either a predicate or the corresponding set.

The objective is to find a path in a possibly infinite state automata A_(M,F), where A_(M,F)

(range(λ), S, I, δ, F) and δ(s₁, l, s₂)

T_(l)(s₁, s₂). It should be understood that every finite labeled trace of the transition system M ending is a state in F is a path (derivation) of A_(M,F), and vice versa.

Once the automata has been defined, the predicate abstraction of the transition system models is considered. The abstract models are a finite state automata related to A_(M,F) via ≧. To do so, assumptions are made such I≠0 and F≠0. If this were not true, then there would be no problem to solve. Secondly, I∩F≠0. If this were not true, then the problem could be trivially solved. The abstract model will be defined in terms of a set of abstract states {tilde over (S)} and its connection with S, which is the state space of the concrete model since abstract models are defined in terms of partitions of the state space of the concrete model.

A definition (definition 4) is set so that a partition of S is a tuple ({tilde over (S)}, α) such that {tilde over (S)} is a set and α:S→{tilde over (S)} is an onto map. For a partition ({tilde over (S)}, α) we define b:S→2^(s) as β:({tilde over (s)}). Note that β({tilde over (s)}) can also be expressed as a predicate on the variables V. The partition ({tilde over (S)}, α) will be denoted by ({tilde over (S)}, b).

An abstract model can be viewed as a finite state automata (FSA) that is defined in terms of partition. Given a partition ({tilde over (S)}, a) of S, the corresponding FSA abstract model is defined as fsa(α)

(range(λ), {tilde over (S)}, Ĩ, {tilde over (δ)}, {tilde over (F)}) where:

Ĩ

{{tilde over (s)}|β({tilde over (s)})

I}

{tilde over (F)}

{{tilde over (s)}|β({tilde over (s)})

F}

It is possible that {tilde over (F)}=0, which would mean that the abstraction is useless. To prevent, at least one of the elements of the partition is needed, β(s), to be such that in implies F. A natural way to achieve this is to ensure that the partition ({tilde over (δ)}, α) respects F (i.e., any element of the partition either contains no element from F of all the element are from F. A most simplistic way to realize this is to keep F itself as one of the partitions. As a result, {tilde over (δ)} captures the possibility of a transition in M such that:

{tilde over (δ)}({tilde over (s)} ₁ ,l,{tilde over (s)} ₂)

∃s ₁εβ({tilde over (s)} ₁),s ₂εβ({tilde over (s)} ₂):T _(l)(s ₁ ,s ₂)

As a result, the following Theorem (theorem 2) can be derived:

fsa(α⁰)≧_(α) ₀ _(,β) ₀ Ã _(M,F).

From the fact that {(s, α(s))|sεS} forms a simulation. fsa(α) is thus an existential abstraction of A_(M,F). For example FIG. 2 shows a transition system, FIG. 3 a shows an initial abstraction for FIG. 2, and FIG. 3 b is its refinement. From Theorem 1, the following is derived:

For an FSA Ã≧A_(M,F), the abstract path corresponding to a concrete path s₁, l₁, s₂, l₂, . . . is α(s₁), l₁, α(s₂), l₂, . . . , and if s_(i)εF then the corresponding α(s₁)ε{tilde over (F)}.

For an automation Ã as per definition 5, the following can also be derived Ã≧_(α,β)A_(M,F).

The following definition (definition 6) can also be determined. In an abstraction Ã, for any triple {tilde over (t)}=

{tilde over (s)}₁l{tilde over (s)}₂

({tilde over (s)}₁, s₂ε{tilde over (S)}, and lε range(λ)):

-   -   {tilde over (t)} is a valid transition if ∃s₁εβ({tilde over         (s)}₁), s₂εβ({tilde over (s)}₂):T_(l)(s₁, s₂);     -   {tilde over (t)} is an impossible transition if not ∃s₁εβ({tilde         over (s)}₁), s₂εβ({tilde over (s)}₂):T_(l)(s₁, s₂);     -   {tilde over (t)} is an always valid transition if ∀s₁εβ({tilde         over (s)}₁):∃s₂εβ({tilde over (s)}₂):T_(l)(s₁, s₂).

Note that the relation {tilde over (δ)} includes precisely the set of all valid transitions. The notion of always valid transitions will be useful in a sequel.

To check reachability of a F in the transition system M, a counter-example guided abstraction refinement (CEGAR) based technique is used, particularly in Simulink® models. Algorithm 1, as shown below, illustrates a basic CEGAR approach to check reachability of F in the transition system M. The initial abstraction can be any automation built, as per definition 5, from a partition of the state space.

Algorithm 1 Input: M ≡ (V,I,T) a concrete model, F a set of states of M . Output: (r, τ) a pair, where r is a Boolean and τ is an execution path of M ({tilde over (S)}₀, β₀) := a partion of S (that respects F ) Ã₀ := fsa (β₀); p := 0 ; while true do    Ã_(p) ≡ (L,{tilde over (S)}_(p),Ĩ_(p),{tilde over (δ)}_(p),{tilde over (F)});    σ_(p) := findpath(Ã_(p));    if σ = NULL then       return( false,NULL);    (b,τ,stp) := checksimulation(M,σ_(p),β_(p));    if b then       return(true,τ)    stp ≡ ({tilde over (s)}_(b),l,{tilde over (s)}_(e))    l* Partitioning,to compute new partition * /    S_(p+1) := s_(p) −{{tilde over (s)}_(b)} ∪ {{tilde over (s)}_(b1),{tilde over (S)}_(b0)};    β_(p+1) := partition (β_(p),stp,{tilde over (s)}_(b1),{tilde over (s)}_(b0));    l * Computing new initial states * /    if {tilde over (s)}_(b) ε Ĩ_(p) then       Ĩ_(p+1) := Ĩ_(p) − {{tilde over (S)}_(b)};       if (β_(P+1) ({tilde over (S)}_(b0))∩I ≠ φ)then Ĩ_(p+1) :=Ĩ_(p+1) ∪{{tilde over (s)}_(b0)};       else Ĩ_(p+1) :=Ĩ_(p+1) ∪{{tilde over (s)}_(b0)};    else       Ĩ_(p+1) :=Ĩ_(p);    l* Computing new transition relation* /    {tilde over (δ)}_(p+1) :=recompute(Ã_(p),M,β_(p+1),S_(p+1));    Ã_(p+1) :=(L,{tilde over (S)}_(p+1)I_(p+1),{tilde over (δ)}_(p+1),{tilde over (F)});    p := p+1; end

The steps used in algorithm 1 are described herein. A findpath takes an automata Ã as an argument and returns a derivation σ, which is NULL if there is no derivation of Ã. If there is a derivation of Ã, then σ={tilde over (s)}₁, l₁, {tilde over (s)}₂ . . . , {tilde over (s)}_(n) such that s₁εĨ, s_(n)εF, and s_(i)ε{tilde over (F)} for i<n. This technique involves only a graph search. The automata Ã is viewed as a graph with its states being nodes, and transitions being edges. The objective is to find and return a path in the graph from a node in Ĩ to a node in {tilde over (F)}. It should be understood that the set of final states {tilde over (F)} is the same throughout. This is valid because a path is always chosen that contains a state in {tilde over (F)} only as a last state.

The next step is a checksimulation which checks if there is a valid finite labeled trace of M (e.g., a path in A_(M, F)) corresponding to a. For σ

{tilde over (s)}₁, l₁, {tilde over (s)}₂ . . . {tilde over (s)}_(n) ({tilde over (s)}₁εĨ and {tilde over (s)}_(n)ε{tilde over (F)}), a check made whether there is a trace of M of the form {tilde over (s)}₁, l₁, {tilde over (s)}₂, l₂, {tilde over (s)}_(n) such that ∀1≦i≦n:s_(i)εβ({tilde over (s)}_(i)). If there is a trace τ, then the procedure returns

true, τ, _

. If there is no such trace, then the procedure returns

false, _,

{tilde over (s)}_(k), l_(k), {tilde over (s)}_(k+1)

, where k is the smallest index j(1≦j≦n) such that there is no trace of M of the form s₁, l₁, s₂l₂ . . . s_(j+1) with ∀1≦i≦n:s_(i)εβ({tilde over (s)}_(i)). The checksimulation as described herein is iteratively shown in the algorithm 2 shown below:

Algorithm 2: Procedure checksimulation Input : M a concrete model, σ an abstract trace Output : 

 b, τ,stp 

Let σ[i]= 

s_(i),l_(i),s_(i) + 1 

 ; assert(I 

 β ({tilde over (s)}₁)); i:=1; while i≦length (σ)−1do;      assert(step(T_(li),i−1));      assert(step(β({tilde over (s)}_(i+1)),i));       

 b,τ 

 :=check( );      if 

 b then        return 

false,NULL,σ[i] 

end return 

 true,τ,NULL 

 ;

In Algorithm 2, the assert (P) means the predicate of P is assumed. Routine check( ) indicates whether the predicates that have been assumed as of that point in time are satisfied. For σ as described above, will indicate that there are n−1 iterations, and a number of n calls to a suitable decision procedure.

The predicates that are asserted are drawn from M. It should be understood that variable occurrences in the predicates have to renamed in some manner. For example, if variable υ occurs in β({tilde over (s)}₁) and β({tilde over (s)}₂), these occurrences correspond to values of υ at different steps, and more particularly, that these values could be connected by the transition predicate T_(l) ₁ . These predicates are asserted such that distinct occurrences and the connections are accounted for correctly. This is accounted for using a renaming scheme based on indices into the path of interest σ. This is formalized using the function step show at lines 5-6 in the algorithm shown in Algorithm 2.

A next definition (definition 7) is derived. Definition 7 states that xx returns a formula that is the same as xx but with every variable occurrence replaced by an occurrence of the same variable for xx steps further ahead.

It is noted that if a particular

{tilde over (s)}_(k), l_(k), {tilde over (s)}_(k+1)

is an always valid transition, that its validity check shown at lines 8-10 in FIG. 2 is unnecessary. Therefore, if this information is known without checking for it and without the overhead of maintaining it, then computation time and power is saved since a decision procedure check is not required. As a result, this is exploited in optimizing the reachability technique.

The next step is a partition which is represented by β

{tilde over (s)}_(b), l, {tilde over (s)}_(e))

{tilde over (s)}_(b1), {tilde over (s)}_(b0). The partition returns the modified map β′, which is computed as follows:

P _(r1)=β({tilde over (s)} _(b))

Pre(β({tilde over (s)} _(e))T _(l))

P _(r1)=β({tilde over (s)} _(b))

Pre(β({tilde over (s)} _(e))T _(l))

β′:=β−{{tilde over (s)} _(b)

_(—) }∪{{tilde over (s)} _(b1)

Pr ₁ ,{tilde over (s)} _(b0)

Pr ₀}

where

Pre(X,T _(l))

step(X,1)ΛT _(l) ⁴

Pre(X, T_(l)) captures the condition taking the transition T_(l), the model M can be in some state in X. Then,

Pre(X, T_(l)) captures the condition taking the transition T_(l), the model M is guaranteed not to be in some state in X. If model M is deterministic, then Pre is equivalent to the weakest-precondition, i.e., from any state in Pre(X, T_(l)) transition T_(l) is guaranteed to result in a state in X. In general, for the weakest pre-condition WP(X, T_(l))

step(X,1)

T_(l)

(step(

X,1)

T)⁵, where the second term takes care of possible non-determinism. If model M is deterministic, then this term will be true, and thus Pre and WP are identical.

A next definition (definition 8) may be derived as follows. New states {tilde over (S)}_(b1) where Pre with respect to the failed transition is true will be called the true-partition with respect to

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

, and the new state {tilde over (s)}_(b0) where Pre with respect to the failed transition is false will be called the false-partition with respect to

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

. It is noted that if an abstract state {tilde over (s)}εS is the false-partition with respect to some

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

, then

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

is an impossible transition. Similarly, if an abstract state {tilde over (s)}ε{tilde over (S)} the true-partition with respect to some

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

and if

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

is deterministic, then

{tilde over (s)}_(b), l, {tilde over (s)}_(e)

is always a valid transition. It should also be noted that a deterministic M does not mean that the abstract FSAs Ã_(p) are deterministic. Rather the FSAs Ã_(P) are invariably non-deterministic.

The next step is a recompute represented by (Ã, M, β′, S′). In a recompute, the routine returns a transition relation δ′ over the new set of abstract states S′. From definition 5, it should be clear that for {tilde over (s)}₁, {tilde over (s)}₂εS′, {tilde over (δ)}′({tilde over (s)}₁, l, {tilde over (s)}₂)

∃s₁εβ′({tilde over (s)}₁), s₂εβ′({tilde over (s)}₂):T_(l) (s₁, s₂). In practice,

({tilde over (s)}₁, l, {tilde over (s)}₂)

is added to δ′ whenever Pre(β′({tilde over (s)}₂), T_(l))

β′({tilde over (s)}₁) is unsatisfiable (i.e., if

({tilde over (s)}₁, l, {tilde over (s)}₂)

is a valid transition).

The recompute step computes a succession of FSAs Ã₀, Ã₁, . . . , Ã_(p). The following is a possible result obtained for the algorithm. For every ({tilde over (S)}_(p), β_(p)) produced by algorithm 1 is a partition. That is, by induction of the sequence Ã₀, Ã₁, . . . , Ã_(p) . . . , the base case is not true trivially (from line 1 of Algorithm 1). For the induction step, assume ({tilde over (S)}_(p), β_(p)) is a partition. ({tilde over (S)}_(p+1)) is obtained by partitioning one of the states of {tilde over (S)}_(p) (lines 13-14 of Algorithm 1) and hence it is also a partition of S.

As a result, the following theorem (3) may be derived: every Ã_(p) is produced by algorithm 1 satisfies Ã_(p)≧_(a) _(p) _(,β) _(p) Ã_(M,F), where ({tilde over (S)}_(p), β_(p)) is a partition of S. Ã_(p) is obtained by computing its transition relation as per definition 5. Therefore, from Theorem 2, this is a valid transition.

The following theorem (4) may be derived: Ã_(p)≧Ã_(p+1), for p≧0; (4) if M is deterministic and its transitions are disjoint; the first part of the theorem may be proved. Consider a map

H⊂S _(p+1) ×{tilde over (S)} _(p)

{({tilde over (s)},{tilde over (s)})|{tilde over (s)}≠{tilde over (s)} _(b)

{tilde over (s)}·{tilde over (s)} _(b0)

{tilde over (s)}≠{tilde over (s)} _(b0)

{tilde over (s)}≠{tilde over (s)} _(b1) }∪{{tilde over (s)} _(b0) ,{tilde over (s)} _(b)),({tilde over (s)} _(b1) ,{tilde over (s)} _(b)).

It is a simulation since for all ({tilde over (s)}′, {tilde over (s)})εH, every transition from {tilde over (s)}′ in Ã_(p+1) has a corresponding transition from {tilde over (s)} in Ã_(p) (due to recompute). It is also satisfies the condition of definition 3 (lines 15-20 of Algorithm 1) and hence the results hold.

The second part follows from the fact that there exists no simulation relation H⊂S_(p+1)×{tilde over (S)}_(p). If M is deterministic and its transitions are disjoint, then for any Ã_(p) (p≧1) and for the state sεS_(p) that is the true-partition that was introduced in Ã_(p) with respect to some

({tilde over (s)}_(b), l, {tilde over (s)}_(e))

of Ã_(p−1,) then the following are true:

-   -   (1) Y has exactly one transition out of it (i.e., |δ_(p)({tilde         over (s)}, _, _), and it is         ({tilde over (s)}, l, {tilde over (s)}_(e))         .     -   (2)         ({tilde over (s)}_(b), l, {tilde over (s)}_(e))         is always a valid transition.     -   (3) s will not be partitioned in any of the FSAs Ã_(p) (q≧p).

For any Ã_(p), if the partition is on the first state of the abstract path then, the false-partition will be an initial state in Ã_(p+1), and the true-partition will not be partitioned. That is, for σ={tilde over (s)}₁, {tilde over (s)}₂, . . . , s_(n), if the partition is on

({tilde over (s)}, l, {tilde over (s)}_(e))

, then the false partition {tilde over (s)}₁₀ will be in Ĩ_(p+1) and the true-partition {tilde over (s)}₁₁ will not be in Ĩ_(p+1).

The following is a proof. It is obvious that {tilde over (s)}₁ is an initial state of Ã_(p+1). Assume that {tilde over (s)}₁₁ is an initial state of Ã_(p+1), then from Algorithm 1, lines 17-18, if follows:

I

β _(p+1)({tilde over (s)} ₁₁) is satisfiable;

I

β _(p)({tilde over (s)} ₁)

step(β_(p)({tilde over (s)} ₂),1)

T _(l) is satisfiable.

This implies that the first transition

{tilde over (s)}₁, l, {tilde over (s)}₂

of a was valid in M (lines 1-3 and the first iteration of lines 5-9 of Algorithm 2 checks exactly the above condition). However, this contradicts with the fact that the partition happened on this transition and hence it was found to be infeasible. As a result, the assumption is wrong and {tilde over (s)}₁₁ is not an initial state of Ã_(p+1). Therefore, since an initial state {tilde over (s)}₁ was partitioned to obtain {tilde over (s)}₁₁ and {tilde over (s)}₁₀, {tilde over (s)}₁₀ will be an initial state of Ã_(p+1).

FIG. 3 a illustrates an initial abstraction, and the aim is find a trace to reach the concrete state satisfying a predicate y=2. The routine findpath ( ) produces an abstract trace σ₀={tilde over (s)}₁, T₂, s₂. The routine checksimulation ( ) finds if this is a valid trace in the concrete model. The computations are as follows:

assert(I

β({tilde over (s)}))=x=0

y≠2

assert(step(T ₂,0))=y<2=0

y′=y+1

assert(step(β({tilde over (s)} ₂),1)=y′=2

Routine check ( ) finds that the above constraints are unsatisfiable. For the refinement, node {tilde over (s)}₁ is split to produce states {tilde over (s)}₁₀ and {tilde over (s)}₁₁.

Pre(β({tilde over (s)} ₂),T ₂)=step(β({tilde over (s)} ₂),1)

T ₂ =y′=2

y′=y+1

i.e., Pre(β({tilde over (s)}₂), T₂)=y+1 i.e., β(ś₁₁)=y=1

y≠2 and β({tilde over (s)}₁₀)=≠1

y≠2

FIG. 3( b) illustrates a refined model. The routine recompute ( ) computes the transitions of the refined model. In the next iteration, the new abstract trace is σ₀={tilde over (s)}₁₀, T₁, s₁₁, T₂, {tilde over (s)}₂. Thereafter, a checksimulation ( ), performs the following computations:

assert(I

β({tilde over (s)} ₁0))=x=0

y≠1

y≠2

assert(step(T ₁,0))=x=0

x′=x+1

y′=y=+1

assert(step(β({tilde over (s)} ₁₁),1)=y′=1

y′≠2

assert(step(T ₂,1))=y′<2

y″=y ¹+1

assert(step(β({tilde over (s)} ₂),2)=y″=2

The above assertions are satisfiable, which indicates that a trace to the desired state in the concrete model is found.

In Algorithm 1, the partition used to define the initial abstraction was left unspecified (e.g., line 1). The unspecified partition is corrected and the consequences of the algorithm are derived. The assumptions are that (1) the transition T is deterministic, and (2) a findpath always selects an acrylic path. For a given set of states F, the partition ({tilde over (S)}⁰, β⁰) is defined as follows:

{tilde over (S)} ⁰ ={s _(I) ⁻⁰ ,s _(F) ⁻⁰}

β⁰(s _(I) ⁻⁰)

F,

β⁰=(s _(F) ⁻⁰)F

That is,

${\alpha^{0}(s)} = {\begin{Bmatrix} s_{I}^{- 0} & {{{if}\mspace{14mu} s} \notin F} \\ s_{F}^{- 0} & {{{if}\mspace{14mu} s} \in F} \end{Bmatrix}.}$

An existential abstraction fsa(α⁰) is obtained by applying the following definition to the partition ({tilde over (S)}⁰, β⁰). The following is a result from Theorem (2):

fsa(α⁰)≧_(α) ₀ _(,β) ₀ Ã _(M,F).

Algorithm 1 is considered ({tilde over (S)}⁰, α⁰) with as the initial partition at line 1. A number of observations can be made regarding the FSAs Ã_(p) computed by the algorithm. These observations are analyzed as follows:

Algorithm 1 is applied with the model fsa(α⁰) as Ã₀. Then in the first iteration of the loop (p=0), a path σ₀ (if it exists) will be of the form s_(I) ⁻⁰, l₁, s_(F) ⁰ as shown in FIG. 4 a. If this is infeasible, then the start state of σ₀ will be partitioned (i.e., the initial state s_(I) ⁻⁰. This will provide two new states, a false partition {tilde over (s)}₀ and a true-partition {tilde over (s)}₁. {tilde over (s)}₀ will become the new initial state. {tilde over (s)}₁ will have only a single transition out of it, namely s_(I) ⁻⁰, l₁, s_(F) ⁻⁰, and this will always be valid in M. As a result, this generates a new FSA Ã₁, in which there are two kinds of acrylic paths possible to s_(F) ⁻⁰ as shown in FIG. 4 b, {tilde over (s)} ₀, l₂, {tilde over (s)}₁, l₂, s_(F) ⁰ or {tilde over (s)}₀, l₃, s_(F) ⁻⁰ (for some l₂, l₃). In both instances, the start state (and initial state) {tilde over (s)}₀ will be partitioned in case the path is infeasible, and the new initial state (of Ã₂) will again be the false-partition while the true-partition will have a single valid transition out (i.e., that either to s_(F) ⁻⁰ or to the other true-partition state {tilde over (s)}₁). The models Ã_(p) all have initial and final state sets as singletons, and that the refinement always happens on the start state of an acyclic path (that is also the initial state). Ã_(p) also has the property that all the states apart from the initial and final states are true-partitions. The validity of the acrylic path is checked and only the first transition has to be checked.

In Theorem (5), the assumption is for any Ã_(p), Ĩ_(p), and {tilde over (F)}_(p) are singletons. This can proved by induction sequence Ã₀, . . . , Ã_(p). The base case p=0 is trivially true from construction of ({tilde over (S)}⁰, α⁰). Consider an induction step. Assume that the result holds for Ã_(p). Then Ã_(p+1) is obtained by partitioning exactly one state {tilde over (s)}_(b) (into true-partition {tilde over (s)}_(b1) and false-partition {tilde over (s)}_(b0)) of Ã_(p) to get {tilde over (S)}_(p+1), β_(p+1). If {tilde over (s)}_(b) is not the initial state of Ã_(p), then neither of the new states is an initial state (lines 15-20 of Algorithm 1), and hence the result holds of Ã_(p+1) If {tilde over (s)}_(b) is the initial state of Ã_(p′), and since only acyclic paths are chosen and since {tilde over (s)}_(b) is the only initial state of Ã_(p′), then {tilde over (s)}_(b) is the first state on the abstract path σ_(p). It is clear that only the false-partition {tilde over (s)}_(b0) will be an initial state of Ã_(p+1) and thus Ĩ_(p+1) is a singleton. Regarding the final state, since Ã_(p) has only one final state, this will necessarily occur as the last state on the path σ_(p), and will never be split. Therefore, Ã_(p+1) will have the same unique final state as Ã_(p). The result holds for Ã_(p+1).

In going forward, the state of Ã_(p) will only be referred to as ĩ_(p), while only the final state will be {tilde over (s)}_(F) ⁰ (since it was shown above that the final state of Ã_(p+1), is the same unique final state as Ã_(p), and the final state is Ã⁰'S final state.

Theorem (6) states that for any Ã_(p), each non-initial non-final abstract states corresponds to a true-position (introduced in some Ã_(q), 1≦q≦p). This can be proved by induction on the sequence Ã₀, . . . , Ã_(p) . . . . The base case (p=0) is trivially true from construction of) ({tilde over (S)}⁰, α⁰), which has no non-initial non-final states. Consider an induction step. Assume that the result holds for Ã_(p) A. Then from the assumption (theorem 5), we also know that the σ_(p) has a unique initial state ĩ_(p) and a unique final state s_(F) ⁻⁰. Then any acyclic path σ_(p) that we choose in Algorithm 1 begins with ĩ_(p), ends with s_(F) ⁻⁰, and has all intermediate states (if any) as true-partition states. It is readily understood that all transitions in σ_(p) except the first are always valid transitions. This means that if σ_(p) is infeasible, then it is because of the next transition (i.e., this is what checksimulation will return as stp) and hence the portioning will happen on the start state ĩ_(p). It is clear that among the new states, the false-partition will become the new initial state (of Ã_(p+1)). The result holds for Ã_(p+1).

In both the above proofs, the induction step will go through regardless of what the initial abstraction was (it requires only deterministic M). This means that any initial partition that has the above properties will suffice. The simplest partition is selected.

Theorem (7) states that for any acyclic path σ_(p) in Ã_(p), all the transitions except the first are always valid transitions.

Theorem (8) states that for any Ã_(p) and any acyclic path σ_(p), the partitioning, if any, will happen on ĩ_(p) and moreover as the first abstract state of σ_(P). This is proved in that partition will be on ĩ_(p) is a corollary of Theorem 7. For acyclic paths σ_(p), the unique initial state ĩ_(p) occurs only as the first state on the path (from Theorem 5). Therefore, ĩ_(p) since will be partitioned, the partition is always on the first state for acyclic σ_(p).

Based on the above results, the following improvements are possible for the algorithm.

Improvement (A): based on theorem 6, Ã_(p) only needs to choose a non-loop edge out of the node corresponding to ĩ_(p) in the graph corresponding to Ã_(p). The rest of the path is uniquely determined. This simplifies findpath.

Improvement (B): from theorem 8, the recomputation of initial state after partition is trivial, and is always a false-partition. This means lines 15-20 of Algorithm 1 can be replaced by a single assignment, and this saves a decision procedure call (at line 17).

Improvement (C): from theorem 7, it is clear that checksimulation (8xx) needs to check the validity of only the first transition of σ_(p). This means that a number of decision procedure check calls from length σ_(p) to 1 can be reduced. This should result in significant performance improvements in practice, since the decision procedure checks are always the most expensive part of the algorithm.

Algorithm 3 provides a revised version of the basic algorithm given earlier as Algorithm 1 incorporating improvements as described above. Algorithm 3 is as follows:

Algorithm 3: CEGAR based reachability - revision 1 Input : M a concrete model, F a set of states of M Output :(r,τ) a pair, where r is a boolean and τ is an execution path of M Ã₀ := fsa(α⁰); p:=0; while true do      Ã_(p) ≡ (L,{tilde over (S)}_(p),{{tilde over (ι)}_(p)},{{tilde over (s)}_(F) ⁰});      σ_(p) := findpath_1(Ã_(p));      if σ_(p) := NULL then        return (false,NULL)      

 b,τ 

 :=checksimulation_1(M,σ_(p),β_(p));      if b then        return (true,τ)      stp≡Then first transition of σ_(p),say 

 {tilde over (s)}_(b),l,{tilde over (s)}_(e) 

 ;      {tilde over (S)}_(P+1) := {tilde over (S)}_(p) −{{tilde over (s)}_(b)}∪{{tilde over (s)}_(b1),{tilde over (s)}_(b0)};      β_(P+1) := partition(β_(p),stp,{tilde over (s)}_(b1),{tilde over (s)}_(b0));      Ĩ_(P+1) := Ĩ_(p) −{{tilde over (s)}_(b)}∪{{tilde over (s)}_(b0)};      {tilde over (δ)}_(P+1) := recompute(Ã_(p),M,β_(p+1),S_(p+1));      Ã_(P+1) := (L, {tilde over (S)}_(p+1),Ĩ_(p+1),{tilde over (δ)}_(p+1),{tilde over (F)});      p:= p + 1; end The process starts with the abstraction fsa(α⁰). The process uses the procedure findpath_(—)1 (Algorithm 4) revised from findpath as per improvement (A). Algorithm 4 is as follows:

Algorithm 4: Procedure findpath_1 Input : Ã is FSA Output :σ a path (derivation) of Ã Ã ≡ (L,S,{{tilde over (ι)}},δ,{{tilde over (s)}_(F) ⁰}; /* choose a transition out of the initial state e := 

 {tilde over (ι)},l,{tilde over (s)} 

 s.t., (s ≠ {tilde over (ι)}) if it exists;else NULL; If e = NULL, then   return NULL σ :=[e] /* extend the path to the final state x = {tilde over (s)}; while x ≠ {tilde over (s)}_(F) ⁰ do σ := σ. 

 x, _, y 

 ; x:=y; end return σ;

Algorithm 5 describes a procedure checksimulation_(—)1 (revised from algorithm 2) incorporating the improvement from Improvement (C). Finally as per Improvement (B), the re-computation of the initial state is simplified (i.e., line 14). The procedure partition and recomputed remain unchanged from earlier. Algorithm 5 is as follows:

Algorithm 5: Procedure checksimulation_1 Input : M a concrete model,σ an abstract trace Output : 

 b,τ 

  Let σ[i]≡ 

 {tilde over (s)}_(i)l_(i){tilde over (s)}_(i+1) 

 ; assert (I 

 β({tilde over (s)}₁) 

 T_(l) ); assert (step(β({tilde over (s)}₂),1));

 b,τ 

 :=check ( ); if 

 b then      return 

 false,NULL 

     /*The rest of σ will be valid,with τ as witness.*/ return 

 true,τ 

 ;

In reference to FIG. 5 which is a two-state abstraction of the transition system in FIG. 2, the final state is {tilde over (s)}_(F) ⁰ with predicate x=2 and the initial state {tilde over (s)}₁ is denoted by predicate x≠2 as shown in FIG. 5 a. The abstract trace to reach the final state is

{tilde over (s)}₁, T₃, {tilde over (s)}_(F) ⁰

. This is not satisfiable in the concrete since the transition

T₃

cannot go from x≠2 to x=2 in the concrete. FIG. 5 b is the abstract model obtained by refinement (i.e., the initial state {tilde over (s)}₁ is spit to produce {tilde over (s)}₁₁ and {tilde over (s)}₁₀). The transition from {tilde over (s)}₁₁ to {tilde over (s)}_(F) ⁰ is an always valid transition. Next findpath_(—)1 determines the abstract trace as * is the abstract transition to reach the final state. Since the first transition in this trace is unsatisfiable in the concrete, it implies that the whole trace is unsatisfiable. Hence the initial state {tilde over (s)}₁₀ is split to produce the new states {tilde over (s)}₁₀₁ and {tilde over (s)}₁₀₀, and the abstraction is shown in FIG. 5 c. Findpath_(—)1 finds the new abstract trace as:

s₁₀₀, T₁, {tilde over (s)}₁₀₁, T₂, {tilde over (s)}₁₁, T₃, {tilde over (s)}_(F) ⁰

. Since the first transition of this abstract trace is satisfiable in the concrete it implies that the whole abstract trace is satisfiable in the concrete.

FIG. 6 illustrates a flowchart for determining a reachability of transition system models utilizing an enhanced partition refinement approach.

In step 50, a Simulink/Stateflow® (SL/SF) concrete model is generated for a respective system or subsystem of a vehicle.

In step 51, an abstract model is generated.

In step 52, an abstract path is determined in the abstract model. The abstract path is a sequence of steps from a source abstract state to a target abstract state via a respective transition. This is referred to as a findpath technique.

In step 53, a validity check is performed on the abstract path in the concrete model. If the abstract path is determined to be invalid, then the routine proceeds to step 55. If the abstract path is determined to be valid, then the routine proceeds to step 59 to determine if the abstract path is infeasible from the initial condition.

In step 55, if abstract path was found to be invalid, then the source state associated with the invalid abstract path is partitioned.

In step 56, a new abstract model is recomputed. Recomputing the abstract model includes determining whether each transition out of the abstract state in the current abstract model will be feasible in and out of the partitioned states of the next abstract model. This involves the use of a solver processor such as a Satisfiably Modulo Theory solver for determining a validity of each transition.

In step 57, a next abstract path is generated for the next abstract model.

In step 58, a determination is made whether the abstract path in the concrete model is valid. If the determination is made that the abstract path in the concrete model is valid, then the routine proceeds to step 59. If the determination is made that the abstract path is invalid, then a return is made to step 55 to partition the current source state.

In step 59, the routine ends as a valid path is found from the initial state to the target state. The result is output to a user that identifies whether the recomputed abstract path is a valid result for testing the concrete model in a vehicle system.

While certain embodiments of the present invention have been described in detail, those familiar with the art to which this invention relates will recognize various alternative designs and embodiments for practicing the invention as defined by the following claims. 

What is claimed is:
 1. A method for verifying reachability of a transition path between states with respect to Simulink/Stateflow® models, the method comprising the steps of: (a) generating a concrete simulation model as a transition system by a processor; (b) generating an abstract model by the processor; (c) generating an abstract path by the processor that is a sequence of transition steps from a start state to a target state; (d) checking a validity of the abstract path by the processor utilizing the concrete simulation model; (e) outputting a result to a user by an output device that identifies the abstract path as a reachable result; otherwise proceeding to step (f); (f) partitioning a respective state of the transition step that was invalid in the abstract path by the processor; (g) recomputing a next abstract model by the processor based on partitioned start state in step (f); (h) generating an next abstract path by the processor; (i) determining whether the next abstract path is valid in the concrete model by the processor; (j) outputting a result to the user by the output device that identifies whether the recomputed abstract path is a valid result for testing the concrete model in a vehicle system; otherwise proceeding to step (f).
 2. The method of claim 1 wherein the start state is a current source state of a current abstract model.
 3. The method of claim 2 wherein only the abstract paths having a length less than a threshold are generated to check the validity.
 4. The method of claim 2 wherein all paths are generated to check validity between the source state and the target state.
 5. The method of claim 4 wherein all paths generated are acyclic paths.
 6. The method of claim 1 wherein the simulation model is a SL/SF model.
 7. The method of claim 1 wherein partitioning a respective state is based on a pre-image of the respective state with respect to the transition step.
 8. The method of claim 1 wherein a set of abstract states in an abstract model is a partition of concrete state in the concrete simulation model.
 9. The method of claim 1 wherein the concrete model and transition paths are tested in a vehicle wiring harness for determining validity of input and output responses.
 10. The method of claim 1 wherein the concrete model and transition paths are implemented in a vehicle.
 11. The method of claim 1 wherein step (g) includes a processor determining whether each transition out of the abstract state in the current abstract model will be feasible in and out of the partitioned states of the next abstract model.
 12. The method of claim 11 wherein the processor is a solver.
 13. The method of claim 12 wherein the solver is a Satisfiably Modulo Theory solver. 